Firewalla VPN Client is a service running on your Firewalla box that enables you to direct any home device to a VPN connection; VPN clients provide a secure and encrypted connection between the user and the internet, making it difficult for outsiders to access sensitive information.
- What is Firewalla VPN Client?
What is Firewalla VPN Client?
With a Firewalla VPN client, you can send any device (even if they can't install VPN software) or any type of traffic to a VPN Server/Service. You can create three types of VPN connections:
- Site to Site VPN
- Remote Access VPN
- 3rd-Party VPN (Verified 3rd-Party VPN services)
|Site to Site VPN**||Remote Access VPN||3rd-Party VPN|
|Network Access||Bi-directional||One way||One way|
|Box Requirement||2 Firewalla Boxes||2 Firewalla Boxes||1 Firewalla Box|
1 Wireguard is not supported on Firewalla Red and Blue.
2 Firewalla AnyConnect VPN client supports SSL, not IKEv2.
Please refer to this document for more information about Site to Site VPN.
Firewalla VPN Client is not available for boxes in Transparent Bridge Mode.
3rd-Party VPN Server
You have many devices at home, all connected to a router that provides access to the Internet. You worry that your ISP can see your internet traffic and log your browsing history. Or, you're in a location where some websites you want to use are inaccessible.
You paid for a 3rd party VPN Service to protect your online traffic from snooping, interference, and censorship. But you have to install VPN Clients on all your devices to get them connected to the 3rd party VPN Service, and you have to manage them (all your laptops, smartphones, tablets, and gaming consoles) with apps on different platforms. Some of your devices may not even be able to install a VPN client app. Or, you want to watch Netflix on Apple TV, but it's not supported in your location.
Firewalla VPN Client enables you to connect your network to a 3rd party VPN Server. You don't need to install individual VPN apps on all your devices– just enable the VPN Client on the Firewalla app and select which device you want to connect to the 3rd party VPN Server.
Due to how each 3rd party VPN Server operates, Firewalla cannot guarantee performance. The speed of your VPN connection depends on how the server allocates bandwidth.
Remote Access VPN
When working from home, you must access your company network to see files and printers or connect to a computer.
You want to have an easy way to access company resources remotely while you are at home. Your company wants to provide a secure way to access its network.
Remote access VPNs enable you to connect to your office network from anywhere securely. This is an encrypted channel that is only visible one way. This setup requires 2 Firewalla boxes– one as the VPN server, the other as the VPN client. Read more in our article about Firewalla's VPN Server.
Site to Site VPN
Your company has offices at two different sites. The headquarters and the subsidiary office have separate networks with computers and servers connected.
Someone sitting at a computer in headquarters is not able to access the server at the subsidiary office, and vice versa.
Site-to-site VPNs allow you to connect two separate networks. Devices in one network can reach devices in the other network under strong encryption. You can read more in our article about Firewalla Site to Site VPNs.
How do I use Firewalla VPN Client?
Step 1: Create a VPN connection
- Tap on the VPN Client button on your box's main page.
- Tap on + Create VPN Connection to create a new profile/connection. You can create up to 9 VPN connections in total.
- Select what type of VPN connection you'd like to create: Site to Site VPN, Remote Access VPN, or 3rd-Party VPN.
- If you select 3rd-Party VPN, you'll need to choose a protocol:
- OpenVPN: You can create an OpenVPN connection by importing or manually filling in your VPN server profile information. Follow your VPN server's manual for the credentials (username and password) or profile required for the VPN connection. Here is a detailed guide on several verified OpenVPN providers.
- WireGuard: If your WireGuard service has provided a VPN profile or a QR code containing VPN configurations, you can import the profile or scan the QR code to create the connection. You can also copy and paste the configuration text to the app to create the connection from scratch.
AnyConnect (supported on Gold and Purple in router mode): With AnyConnect, you can connect any of your devices (or your entire network) to a VPN server with one tap.
- If your VPN service provider requires Multi-Factor Authentication, enable the option, and the app will ask for a one-time password (OTP) when connecting to the VPN.
- To have Firewalla auto-fill your OTP, tap One-Time Password, select Auto-Fill, then fill in the secret or tap the "[-]" icon on the right to scan the QR code provided by your VPN service provider. Please note that this only works if your VPN service provider allows you to generate your OTPs using a Secret or a QR code.
Step 2: Select Devices
After the connection is set up, you can selectively send your devices' network traffic through the VPN. Devices must be part of the Firewalla overlay network or in router mode to use the VPN.
- If you use DHCP mode, all your monitored devices are already in the Firewalla overlay network.
- If you use Simple mode, you must manually join your devices to the Firewalla overlay network. This is done by assigning a static IP address to the device. Here is a tutorial on how to join the overlay network in Simple mode.
- If you use Router mode, there is no need to do anything extra.
Step 3: Connect to VPN
There are two ways to connect:
- From the VPN Client page, tap on the connection you want to establish. Switch the VPN on, and the status will become "Connected."
- Tap the VPN button on the detail page of the device, network, or group you want to connect to, then select a VPN.
Firewalla can support up to 5 active VPN connections.
VPN Profile Configurations
After a VPN profile is set up, there are some options you can set.
- Server site subnets: The app will list all the subnets on the server site in this section. The outbound policy of all the subnets will be set to VPN, which means when VPN-enabled devices access those subnets from your local network, Firewalla will send the traffic via VPN.
Internet: Choose how VPN-enabled devices access the Internet.
- Direct means VPN-enabled devices will use their default gateway for Internet access.
- VPN means VPN-enabled devices will use their gateway on the VPN server site for Internet access.
Force DNS over VPN: Force VPN-enabled devices to use DNS over VPN or not.
- When it is on, DNS requests will be forwarded to the VPN server. DNS features like Ad Block, Family Mode, Safe Search, and DoH will not work on devices connected to VPN.
- When it is off, DNS requests will be forwarded to one Firewalla-managed DNS server. More detail can be found here: Firewalla DNS Services Introduction.
Internet Kill Switch: Automatically disconnect a device if the VPN is down. This option is ONLY available when the Internet option is set to VPN. When it is on, Firewalla will be able to:
- Detect and generate an alarm if VPN Connection encounters any error
- Auto disconnect the device's internet access if the VPN is down
- Detect and generate an alarm if the VPN Connection restores
- Policy-Based Routes: Firewalla policy-based routing can direct traffic locally or over a VPN. For more detail, see our article on Firewalla Policy-Based Routing.
- Delete This Profile: Delete a VPN profile permanently. All related rules will be removed from the box.
Common Issues and Fixes
- Firewalla VPN client does NOT support IPv6. IPv6 traffic will be blocked by Firewalla when the VPN is connected.
- Devices (i.e., laptop/phone/pad, etc.) should not use local DNS servers.
- Devices must be part of the Firewalla overlay network or in router mode to use VPN.
- On a Firewalla box, both the Firewalla VPN server and the Firewalla VPN client can run simultaneously.
- Firewalla VPN Client only supports one remote address. If the .ovpn file from your provider has multiple "remote xxxx..." addresses, please delete all but one of them.
Verified 3rd-party VPN services
These are verified by our test team and contributed by customers. Although we try to keep this updated, sometimes we can't catch up with service changes. If you do have issues, please post them to our forums.
Follow the steps below to set up ExpressVPN on Firewalla:
- Log into your account on the ExpressVPN website.
- Copy the Username & Password under Manual Configuration -> OpenVPN (https://www.expressvpn.com/setup#manual), and paste it into the Firewalla app -> VPN Client -> Profile -> Create 3rd Party VPN.
- Download the OpenVPN file and import the profile to the Configuration section. Or, you can open the file and copy and paste the content in the text field.
- Save the profile, and you are ready to connect.
Note: For the username and password, please use the separate credential dedicated to VPN connections from their setup website. Do not use your ExpressVPN app account username and password.
Follow the steps below to set up Surfshark on Firewalla:
- Log into the Surfshark website. Find your Surfshark service credentials. Pick a server (location) and download the configuration file.
- Open the Firewalla App -> VPN Client -> Profile -> Create 3rd Party VPN. Enter your Surfshark account credentials.
- Import the config file you downloaded previously. Or, you can open the file and copy and paste the content in the text field.
- Save the profile, and you are ready to connect.
Follow the steps below to set up NordVPN on Firewalla:
- Go to the server picker on the NordVPN website. Tap on the Show available protocols button. Download the configuration file for the connection protocol you want to use.
- Open the Firewalla App -> VPN Client -> Profile -> Create 3rd Party VPN. Enter your NordVPN account credentials. You can find your NordVPN service credentials (username and password) in the Nord Account dashboard. Copy the credentials using the "Copy" buttons on the right.
- Import the config file you downloaded previously from the NordVPN website. Or, you can open the file and copy and paste the content in the text field.
- Save the profile, and you are ready to connect.
Smart DNS Proxy
IPVanish VPN (Requires additional configuration)
Per IPVanish support, new IPVanish profiles will have CA cert content embedded. The steps below should no longer be necessary, but they are here in case of problems.
- Find the two profiles below: "ipvanish-XX-XX-XXX-XXX.ovpn" and "ca.ipvanish.com.crt".
- Open the file 'ca.ipvanish.com.crt' using a text editor and copy all the content.
- Open file 'ipvanish-XX-XX-XXX-XXX.ovpn' using a text editor and find the line "caca.ipvanish.com.crt".
- Replace the line with the following content:
[Paste the content of ca.ipvanish.com.crt here]
- Save it and import the new file into your Firewalla VPN Client.
PureVPN (Requires additional configuration)
Before importing your PureVPN profile to Firewalla, open the profile in a text editor and remove these two entries:
route 0.0.0.0 0.0.0.0
You'll also need to find your username and password on PureVPN. Here's how to easily find your existing VPN password.
Follow the steps below to set up ProtonVPN on Firewalla:
- Log into the web-based dashboard at account.protonvpn.com using your account credentials (the ones you set up during account creation).
- Select Downloads in the left navigation bar on the ProtonVPN dashboard. Find the OpenVPN configuration files section and choose (platform: Router; Protocol: UDP). Download the configuration file from ProtonVPN.
- Open the Firewalla App -> VPN Client -> Profile -> Create 3rd Party VPN. Enter your OpenVPN/IKEv2 username and password. Copy the credentials using the "Copy" buttons on the right and paste them into the "username" and "password" fields.
- Import the configuration file to the Firewalla app.
Contributions from our users:
- Firewalla VPN Client is compatible with Private Internet Access
- Tutorial on using WireGuard via NordVPN
This is confusing. I am in beta mode and cannot find a VPN Client button on the Firewalla app. Can you be more clear as to the steps required to access this Button?
The Box & App should both be in Beta to use this feature.
Go Settings->Advanced -> Beta program, switch on "Join Box beta program"
If you are using iOS, make sure you have installed the latest version App 1.31(15) from TestFlight.
If you are using Android, the feature is coming shortly after, please be patient.
Was wondering when the ability of username and password authentication be available?
I downloaded the OpenVPN profile from my NordVPN account and imported it into the Firewalla app. The issue is that your app allows saving the NordVPN profile password but not the username so I cannot connect.
Sorry for the trouble. We are working on it. No committed date on that yet. We have a bunch of features coming together...
Is there an example on how to create a new profile if I want to use a 3rd party VPN provider?
Usually the ovpn file should be provided by the 3rd party VPN provider instead of writing your own.
And you can import the ovpn file or create a new profile (and copy/paste the content). We'll make a video on that soon.
And please be aware that this is still beta and username+password is not supported yet.
Hi Firewalla Team,
if I SSH into /home/pi/.firewalla/run/ovpn_profile
could I place an ovpn and auth file in that folder that the firewalla device would recognize?
I have a 3rd party VPN but it requires Username and Password.
Not really. There are a couple of other places need to update.
I suggest you wait for our next release, which natively supports the username and password.
The release will be pushed to alpha branch in next 1-2 days.
Just testing this now. On Android there is no option to import a profile, also when pasting one in, the "save" button stays greyed out.
Using iOS is more successful, I can import a profile, did a UDP and TCP from NordVPN. Next I see that I need to move devices from simple mode to static IPs on 192.168 network, so I fix two of my devices, they now show on the overlay network, I enable them both, click save and it looks like it's working, but when I test my IP, they show my normal IP not the VPN address.
Question, do I need a blue Firewalls for this to work?
Im beta user. When I clicked on to use 3rd party VPN, it didn't show me to import file. Only manual configuration is showed. If that's the case, how do we manual config it? Thank you.
Ok I spoke too soon, I went out and came back home and t looks like it works now.
Melvin, the latest Beta update (with notes "allows import of profiles") on Android still doesn't work. The import button now appears but when I browse to my Nord VPN UDP saved file, it's greyed out for me. Contrasting with my iOS experience, which works fine and am able to install a VPN profile fine. Just to add I'm on Android 9 using a Motorola G6
Thanks for trying. The import bug should have been fixed in latest version (2.44.26), please have a try.
Please upgrade to latest beta release (2.44.26), it has the import function.
@Melvin Tu, newest beta works great! Thanks for the quick release. Great job!
Any tips for getting ProtonVPN profiles working? My profile is verified working using a different client, but when Firewalla connects it just disconnects after a minute or so. Is there a way to view the connection logs?
I am trying to connect to ExpressVPN. I cannot load the configuration as my .ovpn file is greyed out.
Which app version are you using? It should be an old issue, and already fixed in latest app.
I am using the latest beta version
Can you send a screenshot of the import profile dialog, (which has the ovpn file in the window) to email@example.com?
I tried in latest beta and latest production app, it works.
Is there a way to use the 3rd party VPN service's DNS servers when connected via the VPN Client?
I am in Simple Mode, with my device's IP manually set to the overlay, and its DNS server set to 192.168.4.1 (my physical network gateway IP). Perhaps setting the DNS server to the Firewalla's overlay IP (192.168.218.1)?
Edit: setting the DNS server to the Firewalla's overlay IP seemed to work. When not using the VPN client, https://dnsleaktest.com/ says I'm using an AmazonAWS server, and when VPN is on, a different server whose location matches the location of my 3rd party VPN Server I'm connected to.
The DNS server of 3rd party VPN will be used automatically when VPN client is connected and VPN mode is turned on in device.
When VPN mode is turned off in device, even if the device is still in overlay network and VPN client is still connected, it will NOT use the DNS server of 3rd party VPN. (Basically device traffic will not be sent through VPN)
So do you want to use the 3rd party DNS server even if VPN mode is not turned on?
The DNS server of the 3rd party VPN was not used until I told my device to use the overlay DNS address (192.168.218.1) instead of anything else.
I agree that the 3rd party VPN DNS should only be used when the device is using the VPN client.
I was just pointing out that I didn't see any instructions on how to ensure the 3rd party VPN service's DNS server was used. (My Android defaulted to using Google's DNS when I set up the static IP, and using the physical DNS address 192.168.4.1 didn't switch to the 3rd party VPN when I enabled it for the phone)
This doesn't sound right. It should be reroute to VPN DNS as long as your are using overlay network.
Can you send remote support to firstname.lastname@example.org so that we can take a look?
I think it's working as it should. Until I specified my phone's DNS server to be the Firewalla overlay IP, the DNS didn't change when activating the VPN client for my phone (in the Firewalla app).
If that doesn't sounds right, let me know, and I'll see about setting up the remote support love.
Yes, please share remote support to email@example.com
Start heavy test on using ProtonVPN! At the moment this is the way which make it work on Firewalla BLUE!
Config: Server Config >> select country and click on download near to download profile!
INFO: Manual import profile as the Android App didn't import it automatically no matter if you click import profile! Manual import is working well and the config is readable as well!
Name your profile and put the required username and password!
Hello Firewalla Team.
I am struggling to configure the VPN client with ProtonVPN.
Using iOS app.
I downloaded from ProtonVPN the ‘Router’ and ‘UDP’ config file, as Ernesto highlighted in comment above. However once imported the config and entered username and password I receive an ‘Invalid Content’ pop up in the app and cannot progress further.
Any advice appreciated.
**UPDATE - SOLUTION**
I found a solution, I edited ProtonVPN's configuration file. I removed all but one of the lines that lists the same IP address but different ports.
i.e. From this
remote xx.xxx.xxx.xxx 80
remote xx.xxx.xxx.xxx 443
remote xx.xxx.xxx.xxx 4569
remote xx.xxx.xxx.xxx 1194
remote xx.xxx.xxx.xxx 5060
remote xx.xxx.xxx.xxx 1194
Please sign in to leave a comment.